APT attackers getting more evasive, even more persistent

Stealth has always been a hallmark of Advanced Persistent Threats (APTs), but malware authors are ratcheting up their efforts to evade detection by system defenders.

Not only have they honed their skills at crafting lures that imitate legitimate documents their targets are likely to open, but they're also sharpening their delivery techniques to avoid detection.

"The new breed of APT attacks are not monolithic, rather they are blended, relying on numerous infiltration techniques," said FireEye in its Advanced Threat Report for the second half of 2012. The report was released this week.

It cited one APT attack that incorporated well-known documents and white papers into its phishing campaign to infect a target. "The attackers took these normally safe documents and weaponized them," the report said. "These documents were weaponized with a variation of three PDF exploits and two Word exploits."

Two of the evasion techniques FireEye described are aimed squarely at analysis sandboxes. With the first, a mouse-activity check, the malware would not perform an operation unless the computer's mouse was in use. It did that to fool an organization's cyber defenses, according to Rob Rachwald, director of research and communications at Milpitas, Calif.-based FireEye.

"It made it look to detection systems like it was software run by a human," he said in an interview. "We've seen some of this in the past, but we've seen more emphasis on this today."

The tactic may be a reaction to companies "sandboxing" suspicious files, running them in an isolated environment to catch malicious code before it can damage a system. An automated sandbox typically has no one at the keyboard, so a sample that waits for mouse movement simply sits idle while it is being observed. "It's an effort to bypass traditional, less-sophisticated sandbox technology," Rachwald said.

The second technique, virtual machine detection, is just as simple: the malware won't run if it detects that it has landed on a virtual machine. That tactic targets a growing practice among defenders of using virtual machines to run suspicious files and determine whether or not they're malicious.

"The problem is some of them aren't doing it in a very sophisticated way," Rachwald noted. That allows malicious programs to recognize the analysis environment, stay dormant while under observation and be waved through as harmless, then continue on their infectious path once they reach a real machine.
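To make the two evasion checks above concrete, here is an added example (not code from FireEye's report or from any sample it describes) that models both the malware side and the sandbox side. The VM artefacts it looks for are well-known public indicators: hypervisor vendor strings returned by CPUID leaf 0x40000000, MAC address prefixes assigned to hypervisor vendors, and product names in SMBIOS/DMI tables. The HostProfile values are constructed stand-ins for what malware would read through OS APIs; the "hardened" sandbox function shows the counter a more sophisticated sandbox applies: spoof the artefacts and feed the sample synthetic cursor movement.

```python
from dataclasses import dataclass, replace

# Hypervisor vendor IDs reported in CPUID leaf 0x40000000 (12 bytes in EBX:ECX:EDX).
HYPERVISOR_CPUID_IDS = {
    "VMwareVMware", "VBoxVBoxVBox", "KVMKVMKVM", "Microsoft Hv", "XenVMMXenVMM",
}

# OUI prefixes of NIC MAC addresses handed out by common hypervisors.
VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:1c:14", "00:50:56", "08:00:27", "00:15:5d")

# Substrings typically found in SMBIOS/DMI product and BIOS strings inside a guest.
VM_DMI_MARKERS = ("vmware", "virtualbox", "qemu", "kvm", "xen", "hyper-v")


@dataclass(frozen=True)
class HostProfile:
    """Constructed snapshot of what malware would read via OS APIs (assumption)."""
    cpuid_hypervisor_id: str   # CPUID 0x40000000 vendor string, "" when absent
    mac_addresses: tuple       # NIC MACs as lower-case "xx:xx:xx:xx:xx:xx"
    dmi_product: str           # SMBIOS system product name
    cursor_samples: tuple      # (x, y) cursor positions sampled about 1 s apart


def vm_indicators(p: HostProfile) -> list:
    """Return the VM artefacts found; an empty list means 'looks like physical hardware'."""
    found = []
    if p.cpuid_hypervisor_id.rstrip("\0 ") in HYPERVISOR_CPUID_IDS:
        found.append("cpuid:" + p.cpuid_hypervisor_id.strip())
    for mac in p.mac_addresses:
        if mac.lower().startswith(VM_MAC_PREFIXES):
            found.append("mac:" + mac)
    product = p.dmi_product.lower()
    found.extend("dmi:" + marker for marker in VM_DMI_MARKERS if marker in product)
    return found


def mouse_in_use(samples, min_distinct: int = 3) -> bool:
    """The mouse gate: insist on at least `min_distinct` different cursor positions."""
    return len(set(samples)) >= min_distinct


def payload_would_run(p: HostProfile) -> bool:
    """Malware-side decision: detonate only on an apparently human-driven physical host."""
    return mouse_in_use(p.cursor_samples) and not vm_indicators(p)


def harden_sandbox(p: HostProfile) -> HostProfile:
    """Defender-side counter: spoof the artefacts and inject a synthetic cursor walk."""
    synthetic_walk = tuple((100 + 37 * i, 200 + 11 * i) for i in range(5))
    return replace(
        p,
        cpuid_hypervisor_id="",
        # Keep the device part of each MAC, swap in a prefix that is not in VM_MAC_PREFIXES.
        mac_addresses=tuple("00:1b:21" + mac[8:] for mac in p.mac_addresses),
        dmi_product="HP EliteBook 840 G1",   # constructed, non-hypervisor product string
        cursor_samples=synthetic_walk,
    )


# Constructed profiles: a stock VMware-based sandbox with nobody at the mouse,
# and an ordinary desktop whose user nudged the pointer a few times.
NAIVE_SANDBOX = HostProfile(
    cpuid_hypervisor_id="VMwareVMware",
    mac_addresses=("00:0c:29:3a:5b:7c",),
    dmi_product="VMware Virtual Platform",
    cursor_samples=((640, 480),) * 5,
)
REAL_DESKTOP = HostProfile(
    cpuid_hypervisor_id="",
    mac_addresses=("d8:9e:f3:11:22:33",),
    dmi_product="OptiPlex 7010",
    cursor_samples=((100, 100), (130, 95), (180, 140), (181, 141), (260, 200)),
)

if __name__ == "__main__":
    for name, profile in (("naive sandbox", NAIVE_SANDBOX),
                          ("hardened sandbox", harden_sandbox(NAIVE_SANDBOX)),
                          ("real desktop", REAL_DESKTOP)):
        print(f"{name:17s} mouse={mouse_in_use(profile.cursor_samples)!s:5s} "
              f"vm={vm_indicators(profile)} -> run={payload_would_run(profile)}")
```

The naive sandbox trips all three VM indicators and never moves the cursor, so the payload stays dormant and the sample is reported as clean; after `harden_sandbox` the same checks pass and the payload detonates where it can be observed. The caveat cuts both ways: a real user who leaves the machine idle also fails the mouse gate, and hypervisor artefacts are present on legitimate VDI desktops, which is part of why attackers accept a missed infection in exchange for staying out of the analyst's view.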

APT mongers are becoming more savvy at countering defensive measures mounted against them, according to Ken Silva, senior vice president of cyber strategy at ManTech International in Fairfax, Va.

"The more common that the defensive tools become, the craftier [malware writers] are about how they get around those tools, how they detect them and how they hide from them," he said in an interview.

Once attackers breach a system, they're also being more careful to avoid detection. "They're not leaving traces on a hard disk," Silva noted. "They're just loading into memory and staying in memory."